Abstract


Rabi and Sherman [RS97] presented novel digital signature and unauthenticated secret-key agreement protocols, developed by themselves and by Rivest and Sherman. These protocols use “strong,” total, commutative (in the case of multi-party secret-key agreement), associative one-way functions as their key building blocks. Though Rabi and Sherman did prove that associative one-way functions exist if $P \neq NP$, they left as an open question whether any natural complexity-theoretic assumption is sufficient to ensure the existence of “strong,” total, commutative, associative one-way functions. In this paper, we prove that if $P \neq NP$ then “strong,” total, commutative, associative one-way functions exist.
1 Introduction and Preliminaries


Rabi and Sherman [RS97] study associative one-way functions (AOWFs) and show that AOWFs exist exactly if $P \neq NP$. They also present the notion of strong AOWFs—AOWFs that are hard to invert even when one of their arguments is given. They give protocols due to Rivest and Sherman for two-party secret-key agreement and due to Rabi and Sherman for digital signatures that depend on strong, total AOWFs. They also outline a protocol approach for multi-party secret-key agreement that depends on strong, total, commutative AOWFs.

There are two key worries regarding the Rabi-Sherman approach. The first is whether their protocols are secure even if strong, total, commutative AOWFs exist. This worry has two facets. The first facet is that, as they note, like Diffie-Hellman [DH76, DH79] the protocol they describe has no current proof of security (even if the existence of strong, total, commutative AOWFs is given), though Rabi and Sherman give intuitively attractive arguments suggesting the plausibility of security. In particular, they prove that certain direct attacks against their protocols are precluded by the fact that the protocols use strong, total AOWFs as building blocks. The second facet of the first worry is that their definition of strong, total, commutative AOWFs is a worst-case definition, as opposed to the average-case definition one desires for a satisfyingly strong approach to cryptography.

The second worry is that Rabi and Sherman provide no evidence at all that strong, total, commutative AOWFs exist, though they do prove that AOWFs exist if $P \neq NP$.¹ In this paper we completely remove that worry by proving that strong, total, commutative AOWFs exist if $P \neq NP$. (In light of the above-mentioned first worry—and especially its second facet—we note, as did Rabi and Sherman, that the study of AOWFs should be viewed as more of complexity-theoretic interest than of applied cryptographic interest, though it is hoped that AOWFs will in the long term prove, probably in average-case versions, to be of substantial applied cryptographic value.)

Phrasing our work in a slightly different but equivalent way, in this paper we prove that the existence of AOWFs (or, indeed, the existence of any one-way function) implies the existence of strong, total, commutative AOWFs. Furthermore, based on Kleene’s [Kle52] distinction between weak and complete equality of partial functions, we give a definition of associativity that, for partial functions, is a more natural analog of the standard total-function definition than that of Rabi and Sherman, and we show that their and our results hold even under this more natural definition.

Fix the alphabet $\Sigma = \{0,1\}$, and let $\Sigma^*$ denote the set of all strings over $\Sigma$. The length of any string $x \in \Sigma^*$ will be denoted by $|x|$. Throughout this paper, when we use “binary function” we mean “two-argument function.” Unless explicitly stated as being total, all functions may potentially be partial, i.e., “let $\sigma$ be any binary function” does not imply that $\sigma$ will necessarily be total. For any binary function $\sigma$, we will interchangeably use prefix and infix notation, i.e., $\sigma(x,y) = x \sigma y$. As is standard, pairs of strings will sometimes be encoded as a single string by some standard total, one-to-one, onto, polynomial-time computable pairing function, $\langle \cdot, \cdot \rangle : \Sigma^* \times \Sigma^* \to \Sigma^*$, that has polynomial-time computable inverses, and is non-decreasing in each argument when the other argument is fixed. Let FP denote the set of all polynomial-time computable (partial) functions. Regarding Part 3 of the following definition, we mention that we use the term “one-way function” in the same way Rabi and Sherman [RS97] do, i.e., in the complexity-theoretic (that is, worst-case) sense, and without requiring that the function necessarily be injective.

¹ We mention that, after we sent this paper to them, they (Sherman, personal communication, June 1998) informed us that they had had discussions and proof sketches towards achieving the claim that strong AOWFs exist if $P \neq NP$.


Definition 1.1 Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any binary function.

1. We say $\sigma$ is honest if and only if there exists some polynomial $p$ such that for every $z \in \mathrm{range}(\sigma)$ there exists a pair $(x,y) \in \mathrm{domain}(\sigma)$ such that $x \sigma y = z$ and $|x| + |y| \le p(|z|)$.²

2. We say $\sigma$ is FP-invertible if and only if there exists a total function $g \in \mathrm{FP}$ such that for every $z \in \mathrm{range}(\sigma)$, $g(z)$ is some element of $\sigma^{-1}(z) = \{(x,y) \in \mathrm{domain}(\sigma) \mid x \sigma y = z\}$.

3. We say $\sigma$ is a one-way function if and only if $\sigma$ is honest, polynomial-time computable, and not FP-invertible.


Rabi and Sherman [RS97] define a notion of associativity for binary functions as follows:

Definition 1.2 Let $\circ : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any binary function. We say $\circ$ is weakly associative³ if and only if $x \circ (y \circ z) = (x \circ y) \circ z$ holds for all $x,y,z \in \Sigma^*$ such that each of $(x,y)$, $(y,z)$, $(x, y \circ z)$, and $(x \circ y, z)$ is an element of $\mathrm{domain}(\circ)$.


This type of associativity, however, is not natural for non-total functions, since it does not evaluate as being false “equations” such as “undefined $= 1010$” (this can occur in $x \circ (y \circ z) = (x \circ y) \circ z$ in various ways, e.g., if $(x,y)$, $(x \circ y, z)$, and $(y,z)$ are in the domain of $\circ$ but $(x, y \circ z)$ is not). It would seem more natural for a definition of associativity for binary functions to require that both sides of the above equation stand or fall together. That is, for each triple of strings $x,y,z \in \Sigma^*$, either both sides should be defined and equal, or each side should be undefined. Drawing on Kleene’s careful discussion of how to define equality between partial functions, our definition of associativity—given in Definition 1.3 below—achieves this natural behavior.

Associativity expresses equality between two functions each of which can be viewed as a 3-ary function that results from a given binary function. The distinction in the two definitions of associativity can be said to come from two distinct interpretations of “equality” between functions, known in recursive function theory as weak equality and complete equality (see Kleene [Kle52]). Kleene suggests the use of two different equality symbols—we will use “$=_w$” and “$=_c$” and we have modified the following quotation to use these also—and he writes:

We now introduce “$\varphi(x_1,\ldots,x_n) =_c \chi(x_1,\ldots,x_n)$” to express, for particular $x_1,\ldots,x_n$, that if either of $\varphi(x_1,\ldots,x_n)$ and $\chi(x_1,\ldots,x_n)$ is defined, so is the other and the values are the same (and hence if either of $\varphi(x_1,\ldots,x_n)$ and $\chi(x_1,\ldots,x_n)$ is undefined, so is the other). The difference in the meaning of (i) “$\varphi(x_1,\ldots,x_n) =_w \chi(x_1,\ldots,x_n)$” and (ii) “$\varphi(x_1,\ldots,x_n) =_c \chi(x_1,\ldots,x_n)$” comes when one of $\varphi(x_1,\ldots,x_n)$ and $\chi(x_1,\ldots,x_n)$ is undefined. Then (i) is undefined, while (ii) is true or false according as the other is or is not undefined.— [Kle52, pp. 327–328]

² This definition of honesty for binary functions is that of Rabi and Sherman [RS97], and is equivalent to requiring $|\langle x,y \rangle| \le p(|z|)$, since there exists some polynomial $q$ (that depends on the pairing function chosen) such that for every $x,y \in \Sigma^*$, $|\langle x,y \rangle| \le q(|x| + |y|)$ and $|x| + |y| \le q(|\langle x,y \rangle|)$.

³ They call this “associative,” but for reasons we will immediately make clear, we use “weakly associative” to describe their notion.


We feel that complete equality is the more natural of the two notions. Thus, following 
the notion of complete equality between functions, we propose the following definition of 
associativity for binary functions. Nonetheless, we will show that the results of Rabi and 
Sherman [RS97] and of the present paper hold even under this more restrictive definition. 
In a similar vein, we also define commutativity for (partial) binary functions. 


Definition 1.3 Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any binary function. Define $T = \Sigma^* \cup \{\bot\}$ and define an extension $\bar{\sigma} : T \times T \to T$ of $\sigma$ as follows:

$$\bar{\sigma}(a,b) = \begin{cases} \sigma(a,b) & \text{if } a \neq \bot \text{ and } b \neq \bot \text{ and } (a,b) \in \mathrm{domain}(\sigma) \\ \bot & \text{otherwise.} \end{cases}$$

We say $\sigma$ is associative if and only if, for every $x,y,z \in \Sigma^*$, $(x \bar{\sigma} y) \bar{\sigma} z = x \bar{\sigma} (y \bar{\sigma} z)$. We say $\sigma$ is commutative if and only if, for every $x,y \in \Sigma^*$, $x \bar{\sigma} y = y \bar{\sigma} x$ (i.e., $x \sigma y =_c y \sigma x$).

Clearly, every associative function is weakly associative, since our notion of associativity 
is more restrictive than weak associativity. The converse, however, is not always true, so 
these are indeed different notions. 


Proposition 1.4

1. Every associative binary function is weakly associative.

2. Every total binary function is associative if and only if it is weakly associative.

3. There exists a binary function that is weakly associative, but not associative.
Proof. (1) and (2) are immediate from the definitions. To prove (3), we define the following binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$:

$$\sigma(a,b) = \begin{cases} 111 & \text{if } a = 1 \text{ and } b = 11 \\ 0 & \text{if } a = 111 \text{ and } b = 1111 \\ \text{undefined} & \text{otherwise.} \end{cases}$$

By “undefined” above we do not mean some new token “undefined,” but rather we simply mean that for cases handled by that line of the definition $(a,b) \notin \mathrm{domain}(\sigma)$.

Let $\bar{\sigma}$ be the extension of $\sigma$ defined in Definition 1.3. Note that $(1 \bar{\sigma} 11) \bar{\sigma} 1111 = 0$, but $1 \bar{\sigma} (11 \bar{\sigma} 1111) = \bot$. Thus, $\sigma$ is not associative. However, $\sigma$ is weakly associative, since no three strings in $\Sigma^*$ satisfy the four domain conditions required in Definition 1.2. □


Definition 1.5

1. A binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is an AOWF if and only if $\sigma$ is both associative and a one-way function.

2. [RS97] A binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ is an A$_w$OWF if and only if $\sigma$ is both weakly associative and a one-way function.


Rabi and Sherman [RS97] also introduce the notion of strong one-way functions—binary one-way functions that are hard to invert even if one of their arguments is given. Strongness clearly implies one-way-ness. (We note that “strongness” here should not be confused with the property of strong-FP-invertibility of functions introduced by Allender [All86, All85].) To avoid any possibility of ambiguity we henceforward, when using equality signs with partial functions, will make it explicit that by equality we mean $=_c$.


Definition 1.6 A binary function $\sigma$ is said to be strong if and only if $\sigma$ is not FP-invertible even if one of its arguments is given. More formally, binary function $\sigma$ is strong if and only if neither (a) nor (b) holds:

(a) There exists a total function $g_1 \in \mathrm{FP}$ such that for every $z \in \mathrm{range}(\sigma)$ and for each $x \in \Sigma^*$, if $\sigma(x,y) =_c z$ for some $y \in \Sigma^*$, then $\sigma(x, g_1(\langle x, z \rangle)) =_c z$.

(b) There exists a total function $g_2 \in \mathrm{FP}$ such that for every $z \in \mathrm{range}(\sigma)$ and for each $y \in \Sigma^*$, if $\sigma(x,y) =_c z$ for some $x \in \Sigma^*$, then $\sigma(g_2(\langle y, z \rangle), y) =_c z$.


2 Main Result 


Rabi and Sherman [RS97] show that A$_w$OWFs exist if and only if $P \neq NP$. They present no evidence that strong A$_w$OWFs exist, and they establish no structural conditions sufficient to imply that any exist. Solving these open questions, we show in Theorem 2.1 below that there exist strong, total, commutative A$_w$OWFs (equivalently, strong, total, commutative AOWFs) if and only if $P \neq NP$.

Theorem 2.1 The following are equivalent.

1. $P \neq NP$.

2. There exist A$_w$OWFs.

3. There exist AOWFs.

4. There exist strong, total, commutative A$_w$OWFs.

5. There exist strong, total, commutative AOWFs.


Proof. By Proposition 1.4.2, (4) and (5) are equivalent. Rabi and Sherman [RS97] have shown the equivalence of (1) and (2), by exploiting the associativity of the closest common ancestor relation for configurations in the computation tree of nondeterministic Turing machines. Since (5) (and, equivalently, (4)) implies (2) and (3), and since each of (2) and (3) implies (1) (by Proposition 1.4.1 and by the equivalence of (1) and (2)), it suffices to show that (1) implies (5) to establish the theorem.

Assume $P \neq NP$, and let $A$ be a set in $NP - P$. Let $M$ be a nondeterministic polynomial-time Turing machine accepting $A$. By a witness for “$x \in A$” we mean a string $w \in \Sigma^*$ that encodes some accepting computation path of $M$ on input $x$. Assume, without loss of generality, that for each $x \in A$, every witness $w$ certifying that $x \in A$ satisfies $|w| = p(|x|) > |x|$ for some strictly increasing polynomial $p$ depending on $M$. For each string $x$, define the set of witnesses for “$x \in A$” (with respect to $M$) by

$$W_M(x) = \{w \mid w \text{ is a witness for “} x \in A \text{”}\}.$$

Note that if $x \notin A$ then $W_M(x) = \emptyset$.

For any strings $u,v,w \in \Sigma^*$, $\min(u,v)$ will denote the lexicographically smaller of $u$ and $v$, and $\min(u,v,w)$ will denote the lexicographically smallest of $u$, $v$, and $w$. Define the binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ by

$$\sigma(a,b) = \begin{cases} \langle x, \min(w,y) \rangle & \text{if } (\exists x \in \Sigma^*)(\exists w,y \in W_M(x))\,[a = \langle x,w \rangle \wedge b = \langle x,y \rangle] \\ \langle x, x \rangle & \text{if } (\exists x \in \Sigma^*)(\exists w \in W_M(x))\,[(a = \langle x,x \rangle \wedge b = \langle x,w \rangle) \vee (a = \langle x,w \rangle \wedge b = \langle x,x \rangle)] \\ \text{undefined} & \text{otherwise.} \end{cases}$$

On our way towards a proof that (1) implies (5), we will first prove that the function $\sigma$ defined above is a strong, commutative AOWF. Then we will show how to extend $\sigma$ to a strong, total, commutative AOWF, thus establishing (5).

$\sigma$ is clearly honest. Also, $\sigma \in \mathrm{FP}$. That is, given $(a,b)$ as the input, it is easy to decide in polynomial time whether $(a,b) \in \mathrm{domain}(\sigma)$, and if so, which of $\langle x,x \rangle$ or $\langle x,w \rangle$ for suitable $x \in \Sigma^*$ and $w \in W_M(x)$ should be output as the value of $\sigma(a,b)$.⁴

Now, we show that $\sigma$ cannot be inverted in polynomial time, even if one of its arguments is given. Assume, for instance, that there exists a total function $g_2 \in \mathrm{FP}$ such that given any $z$ in the range of $\sigma$ and any second argument $b$ for which there is some $a \in \Sigma^*$ with $\sigma(a,b) =_c z$, it holds that $\sigma(g_2(\langle b, z \rangle), b) =_c z$. Then, contradicting our assumption that $A \notin P$, $A$ could be decided in polynomial time as follows. On input $x$, to decide whether or not $x \in A$, compute $g_2(\langle \langle x,x \rangle, \langle x,x \rangle \rangle)$, interpret it as a pair $\langle d,e \rangle$, and accept if and only if $d = x$ and $e \in W_M(x)$. An analogous proof works for the case of a fixed first argument.


Thus, neither (a) nor (b) of Definition 1.6 holds, so $\sigma$ is a strong one-way function.


We now prove that $\sigma$ is associative. Let $\bar{\sigma}$ be the extension of $\sigma$ from Definition 1.3. Fix any strings $a = \langle a_1, a_2 \rangle$, $b = \langle b_1, b_2 \rangle$, and $c = \langle c_1, c_2 \rangle$ in $\Sigma^*$. Let $k$ equal how many of $a_2$, $b_2$, and $c_2$ are in $W_M(a_1)$. For example, if $a_2 = b_2 = c_2 \in W_M(a_1)$, then $k = 3$. To show that

(2.a) $\quad (a \bar{\sigma} b) \bar{\sigma} c = a \bar{\sigma} (b \bar{\sigma} c)$

holds, we distinguish the following cases.

Case 1: $[a_1 \neq b_1 \vee a_1 \neq c_1 \vee b_1 \neq c_1]$. In light of the definition of $\sigma$, we have

(2.b) $\quad (a \bar{\sigma} b) \bar{\sigma} c = \bot = a \bar{\sigma} (b \bar{\sigma} c)$.

Case 2: $[a_1 = b_1 = c_1 \wedge \{a_2, b_2, c_2\} \not\subseteq \{a_1\} \cup W_M(a_1)]$. (2.b) holds here too, in light of the definition of $\sigma$.

Case 3: $[a_1 = b_1 = c_1 \wedge \{a_2, b_2, c_2\} \subseteq \{a_1\} \cup W_M(a_1)]$. In this case, note that $\sigma$ decreases by one the number of witnesses, in particular preserving the lexicographic minimum if both arguments contain witnesses for “$a_1 \in A$,” outputting $\langle a_1, a_1 \rangle$ if exactly one of its arguments contains a witness for “$a_1 \in A$,” and outputting $\bot$ if neither contains a witness for “$a_1 \in A$.” So it is not hard to see that (in the current case) if $k \in \{0,1\}$ then (2.b) holds, if $k = 2$ then

$(a \bar{\sigma} b) \bar{\sigma} c = \langle a_1, a_1 \rangle = a \bar{\sigma} (b \bar{\sigma} c)$

holds, and if $k = 3$ then

$(a \bar{\sigma} b) \bar{\sigma} c = \langle a_1, \min(a_2, b_2, c_2) \rangle = a \bar{\sigma} (b \bar{\sigma} c)$

holds.

Note that in each case (2.a) is satisfied. Furthermore, it is easy to see from the definition of $\sigma$ that $\sigma$ is commutative. Thus, $\sigma$ is a strong, commutative AOWF, as claimed earlier.

⁴ Recall our assumption that for each $x \in A$, every witness $w$ for “$x \in A$” satisfies $|w| = p(|x|) > |x|$. This assumption ensures that there is no ambiguity in determining whether $a$ and $b$ are of the form $\langle x, x \rangle$ or of the form $\langle x, \text{PotentialWitness} \rangle$, and checking items of the form $\langle x, \text{PotentialWitness} \rangle$ is easy as the set $\{\langle x, w \rangle \mid w \in W_M(x)\}$ is in P.


Finally, to complete the proof, we now show how to extend $\sigma$ to a strong, total, commutative AOWF.⁵ The fact that $\sigma$ is an AOWF (rather than merely an A$_w$OWF) helps us avoid the key problem in Rabi and Sherman’s extension attempt (see Footnote 5).

Fix any string $x_0 \notin A$ (one must exist, since $A \notin P$). Let $a_0$ be the pair $\langle x_0, 1x_0 \rangle$. Note that $a_0$ is neither of the form $\langle x, x \rangle$ for any $x \in \Sigma^*$, nor of the form $\langle x, w \rangle$ for any $x \in \Sigma^*$ and any witness $w \in W_M(x)$ (because $x_0 \notin A$ and thus does not have any witnesses). Note that, by the definition of $\sigma$, for each $y$, $(a_0, y) \notin \mathrm{domain}(\sigma)$ and $(y, a_0) \notin \mathrm{domain}(\sigma)$. Define the total function $\tau : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows: Whenever $(a,b) \in \mathrm{domain}(\sigma)$, define $\tau(a,b) = \sigma(a,b)$; otherwise, define $\tau(a,b) = a_0$.

$\tau$ is a strong, total, commutative AOWF. In particular, $\tau$ is honest, since for $a_0$, which is the only string in the range of $\tau$ that is not in the range of $\sigma$, it holds that $\tau(a_0, a_0) = a_0$ and $|a_0| + |a_0| \le 2|a_0|$. Also, $\tau \in \mathrm{FP}$, since $\sigma \in \mathrm{FP}$ and $\mathrm{domain}(\sigma) \in P$. That $\tau$ is strong follows from the facts that $\mathrm{range}(\sigma) \subseteq \mathrm{range}(\tau)$ and $\sigma$ is strong. Finally, to see that $\tau$ is associative, note that if $a \bar{\sigma} (b \bar{\sigma} c) = \bot$ then $a \tau (b \tau c) = a_0$ and otherwise $a \tau (b \tau c) = a \bar{\sigma} (b \bar{\sigma} c)$. Similarly, if $(a \bar{\sigma} b) \bar{\sigma} c = \bot$ then $(a \tau b) \tau c = a_0$ and otherwise $(a \tau b) \tau c = (a \bar{\sigma} b) \bar{\sigma} c$. The associativity of $\tau$ now follows easily, given that $\sigma$ is associative. The commutativity of $\tau$ is immediate from the definition of $\tau$ and the commutativity of $\sigma$ (recall our definition of commutativity is based on (complete) equality, and thus $(a,b) \in \mathrm{domain}(\sigma)$ if and only if $(b,a) \in \mathrm{domain}(\sigma)$). Hence, $\tau$ is a strong, total, commutative AOWF. □

⁵ Rabi and Sherman [RS97] give a construction that they claim lifts any A$_w$OWF whose domain is in P to a total A$_w$OWF. However, it is far from clear that their construction achieves this. In fact, we show that any proof that their construction is valid would immediately prove that UP = NP. (Note: Valiant’s class UP consists of those languages accepted by nondeterministic polynomial-time Turing machines having the property that on all inputs they have no more than one accepting path [Val76].) In particular, we provide the following counterexample to Rabi and Sherman’s assertion, the proof of which shows that if UP $\neq$ NP then their construction does not always preserve weak associativity.

Proposition 2.2 If UP $\neq$ NP, then there exists an A$_w$OWF $\sigma$, satisfying $(\exists a)\,[(a,a) \notin \mathrm{domain}(\sigma)]$ and having domain in P, such that the construction that Rabi and Sherman claim converts A$_w$OWFs into total A$_w$OWFs in fact fails on $\sigma$.

We prove the proposition as follows. Fix a set $A' \in NP - UP$ and an NP machine $M'$ accepting $A'$. Let the polynomial $p'$ and, for each $x$, let the witness sets $W_{M'}(x)$ be defined analogously to the definitions of $p$ and $W_M(x)$ earlier in the proof of Theorem 2.1. Define the binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ by

$$\sigma(a,b) = \begin{cases} \langle x, w \rangle & \text{if } (\exists x \in \Sigma^*)(\exists w \in W_{M'}(x))\,[a = \langle x, w \rangle = b] \\ \langle x, x \rangle & \text{if } (\exists x \in \Sigma^*)(\exists w \in W_{M'}(x))\,[(a = \langle x, x \rangle \wedge b = \langle x, w \rangle) \vee (a = \langle x, w \rangle \wedge b = \langle x, x \rangle)] \\ \text{undefined} & \text{otherwise.} \end{cases}$$

It is not hard to verify that $\sigma$ is indeed an A$_w$OWF. Let $\bar{a}$ be a fixed string such that $(\bar{a}, \bar{a}) \notin \mathrm{domain}(\sigma)$. For the particular function $\sigma$ defined above, such a string $\bar{a}$ indeed exists (e.g., let $\bar{a} = \langle x_0, 1x_0 \rangle$ for any particular fixed $x_0 \notin A'$; see the discussion of $a_0$ in the proof of Theorem 2.1 as to why this is right); in contrast, the “c” of [RS97, p. 242, l. 10] may not in general exist. Now, using the Rabi-Sherman technique, extend $\sigma$ to a total function, $\hat{\tau}$, the same way we will obtain the total extension $\tau$ of $\sigma$ later in the proof of Theorem 2.1. Fix some string $x \in A'$ that has two distinct witnesses $w$ and $y$ in $W_{M'}(x)$ (such $x$, $w$, and $y$ exist, as $A' \notin UP$), and let $a = \langle x, w \rangle$, $b = \langle x, y \rangle$, and $c = \langle x, x \rangle$. Then, we have $(a \hat{\tau} b) \hat{\tau} c = \bar{a} \neq \langle x, x \rangle = a \hat{\tau} (b \hat{\tau} c)$, and thus $\hat{\tau}$ is not associative (and thus, as it is total, is not weakly associative). (The reason that $(a \hat{\tau} b) \hat{\tau} c = \bar{a}$ may not be clear to the reader; to see why this holds, one must look at the Rabi-Sherman technique of extending $\sigma$ to $\hat{\tau}$, which, very informally, is to use $\bar{a}$ as a dumping ground.) We mention that, for essentially the same reason, $\sigma$ is not associative (and thus is not an AOWF), since $(a \bar{\sigma} b) \bar{\sigma} c = \bot \neq \langle x, x \rangle = a \bar{\sigma} (b \bar{\sigma} c)$, where $\bar{\sigma}$ is the extension of $\sigma$ from Definition 1.3.

Even if Rabi and Sherman’s proof were valid, their claim would not be particularly useful to them, as the A$_w$OWFs they construct [RS97, proof of Theorem 5] do not in general have domains that are in P. In contrast, our $\sigma$ does have a domain that is in P, and their method (corrected to remove the “c” problem) does preserve associativity (note: we did not say weak associativity), and so is useful to us.
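The construction of $\sigma$ and $\tau$ above, and the failure of the Rabi-Sherman extension on the function of Footnote 5, can both be run on concrete strings. The Python below is an added example, not code from the paper. It assumes a toy NP witness relation in place of the machine $M$ (a witness for $x$ is a fixed-length encoding of a nontrivial divisor of the number $x$ denotes, chosen so that every witness is one bit longer than $x$, as the proof requires), uses Python tuples in place of the pairing function $\langle \cdot, \cdot \rangle$, and uses None for $\bot$. It checks associativity and commutativity of $\bar{\sigma}$ and $\tau$ exhaustively over a small constructed universe, runs the reduction from the strongness argument with a brute-force stand-in for the hypothetical inverter $g_2$, and reproduces the Footnote 5 counterexample $(a \hat{\tau} b) \hat{\tau} c = \bar{a} \neq \langle x, x \rangle = a \hat{\tau} (b \hat{\tau} c)$.

```python
# Added example (not code from the paper): sigma and tau of Theorem 2.1 on a toy
# witness relation, plus the Footnote 5 function with its Rabi-Sherman-style
# total extension.  Tuples stand in for <.,.>; None stands in for bottom.
from itertools import product


def witnesses(x):
    """Toy NP witness relation (an assumption of this example, not the paper's M):
    w is a witness for x iff w = '1' + d, where d is the |x|-bit encoding of a
    nontrivial divisor of int(x, 2).  Every witness has length |x| + 1 > |x|, as
    the proof assumes, so <x, x> can never be mistaken for <x, w>."""
    n, v = len(x), (int(x, 2) if x else 0)
    return {"1" + format(d, "0%db" % n) for d in range(2, v) if v % d == 0}


def sigma(a, b):
    """The partial sigma of Theorem 2.1; None means (a, b) is outside domain(sigma)."""
    (x, u), (y, v) = a, b
    if x != y:
        return None
    W = witnesses(x)
    if u in W and v in W:
        return (x, min(u, v))      # two witnesses: keep the lexicographic minimum
    if (u == x and v in W) or (u in W and v == x):
        return (x, x)             # exactly one witness: it is used up
    return None


X0 = "11"                 # 3 is prime, so X0 has no witness and X0 is not in A
A0 = (X0, "1" + X0)       # a0 = <x0, 1x0>: never in domain(sigma) in either position


def tau(a, b):
    """The total extension tau: sigma where defined, a0 otherwise."""
    r = sigma(a, b)
    return A0 if r is None else r


def sigma_bar(a, b):
    """The extension of Definition 1.3, with None as bottom."""
    return None if a is None or b is None else sigma(a, b)


def associative(f, U):
    return all(f(f(a, b), c) == f(a, f(b, c)) for a, b, c in product(U, repeat=3))


def commutative(f, U):
    return all(f(a, b) == f(b, a) for a, b in product(U, repeat=2))


def brute_force_g2(b, z):
    """Exhaustive inverter for a fixed second argument b: some a with sigma(a, b) = z,
    or None.  It stands in for the hypothetical polynomial-time g2 of Definition 1.6(b)."""
    x = b[0]
    for bits in product("01", repeat=len(x) + 1):
        a = (x, "".join(bits))
        if sigma(a, b) == z:
            return a
    return None


def decide_A(x, g2):
    """The reduction of the strongness argument: given an inverter g2, x is in A
    iff g2(<<x,x>, <x,x>>) returns <x, w> with w a witness for x."""
    a = g2((x, x), (x, x))
    return a is not None and a[0] == x and a[1] in witnesses(x)


def sigma_fn5(a, b):
    """The function of Footnote 5 (Proposition 2.2): two witness pairs combine only
    when they carry the same witness."""
    (x, u), (y, v) = a, b
    if x != y:
        return None
    W = witnesses(x)
    if u == v and u in W:
        return (x, u)
    if (u == x and v in W) or (u in W and v == x):
        return (x, x)
    return None


def tau_fn5(a, b):
    """Rabi-Sherman-style total extension of sigma_fn5, with A0 as the dumping ground."""
    r = sigma_fn5(a, b)
    return A0 if r is None else r


if __name__ == "__main__":
    X = "110"                          # 6 = 2 * 3, so X is in A with two witnesses
    w1, w2 = sorted(witnesses(X))      # "1010" (d = 2) and "1011" (d = 3)
    U = [(X, X), (X, w1), (X, w2), (X, "1111"), A0, (X0, X0)]
    print(associative(sigma_bar, U), commutative(sigma_bar, U))
    print(associative(tau, U), commutative(tau, U))
    print(decide_A(X, brute_force_g2), decide_A(X0, brute_force_g2))
    a, b, c = (X, w1), (X, w2), (X, X)
    print(tau_fn5(tau_fn5(a, b), c), tau_fn5(a, tau_fn5(b, c)))
```

The universe deliberately includes a pair whose second component is neither $x$ nor a witness (Case 2 of the proof) and pairs with a different first component (Case 1), so the exhaustive check exercises all three cases. In the Footnote 5 run, $a \hat{\tau} b$ falls into the dumping ground because the two witnesses differ, after which nothing can recover, while $b \hat{\tau} c$ consumes one witness and then $a \hat{\tau} \langle x, x \rangle$ consumes the other.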

Rabi and Sherman emphasize the importance of explicitly exhibiting strong, total A$_w$OWFs [RS97], since the cryptographic protocols given in [RS97] rely on their existence, and they also pose as an open issue the problem of whether a strong, total A$_w$OWF can be constructed from any given one-way function [RS93]. The proof of Theorem 2.1 solves these open issues. Indeed, the function $\tau$ defined in the above proof shows how to construct a strong, total, commutative AOWF (equivalently, a strong, total, commutative A$_w$OWF) based on any clocked NP machine accepting a language in $NP - P$. Similarly, the proof of Theorem 2.1 shows how, given any one-way function (along with its polynomial runtime and honesty bounds), one can obtain a clocked NP machine accepting a language in $NP - P$. Thus, as the title of this paper claims, from any given one-way function one can create a strong, total, commutative AOWF (equivalently, a strong, total, commutative A$_w$OWF).

Finally, we mention briefly the issue of injective (i.e., one-to-one) AOWFs and A$_w$OWFs. Valiant’s class UP (unambiguous polynomial time [Val76], see Footnote 5) has long played a central role in complexity-theoretic cryptography. Rabi and Sherman give no evidence that injective A$_w$OWFs might exist. In fact, they prove that no total A$_w$OWF can be injective. Thus, in light of Proposition 1.4, no total AOWF can be injective. However, in Theorem 2.3 we show that $P \neq UP$ if and only if injective A$_w$OWFs (and indeed injective AOWFs) exist.

Is the lack of injectivity for total commutative AOWFs and A$_w$OWFs an artifact of commutativity? Consider any commutative function $\sigma$ such that there exist elements $a$ and $b$ with $a \neq b$ and $(a,b) \in \mathrm{domain}(\sigma)$. Then $\sigma(a,b) =_c \sigma(b,a)$, and so $\sigma$ is not injective. Now let us generalize the notion of injectivity so as to keep the general intuition of its behavior, yet so as not to clash so strongly with commutativity. Given any binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$, we say $\sigma$ is unordered-injective if and only if for all $a,b,c,d \in \Sigma^*$, if $(a,b),(c,d) \in \mathrm{domain}(\sigma)$ and $\sigma(a,b) =_c \sigma(c,d)$, then $\{a,b\} = \{c,d\}$. That is, each element $x =_c \sigma(a,b)$ in the range of $\sigma$ has at most one unordered pair $\{a,b\}$ (possibly degenerate, i.e., $\{a,a\} = \{a\}$) as its preimage. If $\sigma$ is commutative, then both orderings of this unordered pair, $(a,b)$ and $(b,a)$, will map to $x$; if not, one cannot know (i.e., $\sigma(a,b) =_c x$ but $\sigma(b,a) =_c y \neq x$ is possible).

Theorem 2.3 The following are equivalent.⁶

1. $P \neq UP$.

2. There exist injective A$_w$OWFs.

3. There exist injective AOWFs.

4. There exist strong, commutative, unordered-injective A$_w$OWFs.

5. There exist strong, commutative, unordered-injective AOWFs.


3 Conclusions 


So, in this paper, we have shown that $P \neq NP$ is a sufficient condition for strong, total, commutative AOWFs (equivalently, for strong, total, commutative A$_w$OWFs) to exist. Since by standard techniques (namely, the natural binary-function injectivity-not-required analog of a result of Grollmann and Selman [GS88, Sel92], see also [Ko85]), $P \neq NP$ is also a necessary condition for the existence of such functions, we obtain a complete characterization. This characterization solves the conjecture of Rabi and Sherman that strong A$_w$OWFs exist [RS97], insofar as one can solve it without solving the P = NP question. Moreover, our proofs have shown how to construct a strong, total, commutative AOWF (equivalently, a strong, total, commutative A$_w$OWF) from any given one-way function, which resolves an open problem of Rabi and Sherman [RS93].

We mention that most cryptographic applications are in general concerned with average-case complexity and randomized algorithms instead of worst-case complexity and deterministic algorithms. However, as Rabi and Sherman stress, the intriguing concept of (weakly) associative one-way functions, particularly when they are total and strong and ideally in an average-case version, may be expected to be useful in many cryptographic applications such as in the key-agreement protocol proposed by Rivest and Sherman in 1984 (see [RS97]), and may eventually offer elegant solutions to a variety of practical cryptographic problems.

⁶ Proof of Theorem 2.3. That (2) implies (1) follows immediately by standard techniques, and by Proposition 1.4.1, (3) implies (2). That (1), (4), and (5) are pairwise equivalent follows as a corollary from the proof of Theorem 2.1 (note, crucially, that if the definition of $\sigma$ given in that proof is based on some set $A \in UP - P$, then $\sigma$ is unordered-injective, since no string $x$ in $A$ can have more than one witness). So it suffices to prove that (1) implies (3). Assuming $A \in UP - P$, define the language $A' = \{1x \mid x \in A\}$. Clearly, $A' \in UP - P$. Let $M$ be some UP machine accepting $A'$. Let the polynomial $p$ and, for each $x$, let the witness sets $W_M(x)$ be defined as in the proof of Theorem 2.1 (note that, for each $x \in A'$, $W_M(x)$ now is a singleton). Without loss of generality, assume that for each $x \in A'$, the unique witness $w$ certifying that $x \in A'$ starts with a 1 as its first bit, i.e., $w \in 1\Sigma^*$. Define the binary function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows:

$$\sigma(a,b) = \begin{cases} 1 & \text{if } a \in A' \text{ and } W_M(a) = \{b\} \\ \text{undefined} & \text{otherwise.} \end{cases}$$

Let $\bar{\sigma}$ be the extension of $\sigma$ as in Definition 1.3. Note that for all $a,b,c \in \Sigma^*$, it holds that $(a \bar{\sigma} b) \bar{\sigma} c = \bot = a \bar{\sigma} (b \bar{\sigma} c)$ by definition of $\sigma$. Thus, $\sigma$ is associative according to Definition 1.3. Also, $\sigma$ clearly is injective, and the standard proof approach (see, e.g., the proof of Theorem 2.1) shows that $\sigma$ is a one-way function. □


Acknowledgments. We thank Alan Selman for sharing with us his knowledge of the 
history and literature of partial functions, and of Kleene’s work. 